NULL deref in blink::WebRemoteFrameImpl::addReplicatedContentSecurityPolicyHeader |
Issue description

Chrome Version: 56.x, 57.x
OS: Windows

What steps will reproduce the problem?
(1) Try to reproduce the browser crash in bug 694382.

What is the expected result?
Hit the browser crash.

What happens instead?
Hit a renderer crash:

```
(chrome_child.dll -webremoteframeimpl.cpp:446 ) blink::WebRemoteFrameImpl::addReplicatedContentSecurityPolicyHeader(blink::WebString const &,blink::WebContentSecurityPolicyType,blink::WebContentSecurityPolicySource)
(chrome_child.dll -render_frame_proxy.cc:376 ) content::RenderFrameProxy::OnAddContentSecurityPolicy(content::ContentSecurityPolicyHeader const &)
(chrome_child.dll -ipc_message_templates.h:121 ) IPC::MessageT<FrameMsg_AddContentSecurityPolicy_Meta,std::tuple<content::ContentSecurityPolicyHeader>,void>::Dispatch<content::RenderFrameProxy,content::RenderFrameProxy,void,void ( content::RenderFrameProxy::*)(content::ContentSecurityPolicyHeader const &)>(IPC::Message const *,content::RenderFrameProxy *,content::RenderFrameProxy *,void *,void ( content::RenderFrameProxy::*)(content::ContentSecurityPolicyHeader const &))
(chrome_child.dll -render_frame_proxy.cc:296 ) content::RenderFrameProxy::OnMessageReceived(IPC::Message const &)
```

Sample crash IDs: 6c53c41640000000, c8e328fd60000000, 844e501640000000

Mar 28 2017
I added DCHECK(frame()) and that failed.

Mar 28 2017
If I handle that, I get another NULL frame in WebFrame::insertAfter(), and after that, in blink::WebRemoteFrameImpl::createRemoteChild(). This is with the .rar file in the previous bug.

Mar 29 2017
Reproduced on Linux too. I tried to understand the .rar file in the previous bug. It uses multiple windows, the unload event, weird scripts, and the print() function is called several times. It is a little bit complicated. So I tried to reduce the testcase to something I can understand. Finally, here is a much more minimal test:

```html
<body onUnload="print()"></body>
```

It speaks for itself. I am not sure it is 100% related, so I filed a bug here: https://crbug.com/706319

There is a segfault and the last two called functions are:

```
#4 0x2b034f770c49 blink::Frame::setIsLoading()
#5 0x2b034f770523 blink::WebRemoteFrameImpl::didStopLoading()
```

FYI: I have only tried it on Linux with the latest commit (4b80ef168dc0dbeef5acf70771884678ce65fe00).
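The comments above describe a lifetime problem rather than a parsing one: the frame is torn down while the page's unload handler runs, yet the proxy still receives a queued IPC message and dereferences its now-null frame pointer. The following added example (not Chromium code; every name such as `Frame`, `FrameProxy` and `CspHeader` is a hypothetical stand-in) models that ordering in a few dozen lines and shows the unguarded handler beside a handler that tolerates the race by dropping the stale message instead of crashing.

```cpp
// Added example, not Chromium code: a simplified model of the crash in this
// bug. A proxy keeps a raw pointer to a frame; during unload the frame is
// detached, but a queued message addressed to the proxy is delivered
// afterwards. The unguarded handler dereferences null; the guarded one drops
// the stale message and reports that it did. All type names are hypothetical.
#include <cstdio>
#include <string>
#include <vector>

struct CspHeader {
    std::string value;
};

// Stand-in for a remote frame that stores replicated CSP headers.
struct Frame {
    std::vector<CspHeader> csp_headers;
    void addReplicatedCsp(const CspHeader& h) { csp_headers.push_back(h); }
};

// Stand-in for a render frame proxy. frame_ becomes null once the frame is
// detached, which can happen before every message for the proxy is handled.
class FrameProxy {
public:
    explicit FrameProxy(Frame* frame) : frame_(frame) {}
    void detachFrame() { frame_ = nullptr; }

    // Crashing pattern: assumes the frame is always live.
    void onAddCspUnguarded(const CspHeader& h) {
        frame_->addReplicatedCsp(h);  // null dereference once detached
    }

    // Hardened pattern: a DCHECK would document the assumption in debug
    // builds, but release builds must survive the race, so the message is
    // dropped and the caller is told so.
    bool onAddCspGuarded(const CspHeader& h) {
        if (!frame_) {
            ++dropped_;
            return false;
        }
        frame_->addReplicatedCsp(h);
        return true;
    }

    int dropped() const { return dropped_; }

private:
    Frame* frame_;
    int dropped_ = 0;
};

// Reproduce the ordering from the crash with constructed input: two CSP
// messages are queued, the frame is optionally detached (as during unload),
// then the queue is drained through the guarded handler.
// Returns how many headers were actually applied to the frame.
int simulateUnloadRace(Frame& frame, FrameProxy& proxy, bool detach_before_drain) {
    std::vector<CspHeader> queue{{"default-src 'self'"}, {"script-src 'none'"}};
    if (detach_before_drain) proxy.detachFrame();
    int applied = 0;
    for (const auto& h : queue)
        if (proxy.onAddCspGuarded(h)) ++applied;
    (void)frame;  // the frame is only observed through the proxy here
    return applied;
}

// Scenario helpers so the two outcomes can be checked as return values.
int headersAppliedWhenLive() {
    Frame f;
    FrameProxy p(&f);
    return simulateUnloadRace(f, p, false);  // 2
}

int headersDroppedWhenDetached() {
    Frame f;
    FrameProxy p(&f);
    simulateUnloadRace(f, p, true);
    return p.dropped();  // 2
}

int main() {
    std::printf("live frame: %d headers applied\n", headersAppliedWhenLive());
    std::printf("detached frame: %d messages dropped, no crash\n",
                headersDroppedWhenDetached());
    return 0;
}
```

The guarded handler is the shape of fix the thread converges on: the null frame is not a bug in the CSP message itself but a message arriving after the object it targets is gone, so the handler has to check liveness at the point of use rather than assume it. A counter of dropped messages (or a trace event in a real browser) keeps the condition visible for triage instead of silently hiding it.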

Aug 3 2017
It looks like https://crbug.com/694382 and https://crbug.com/706319, cross-referenced here, are both fixed. OK to mark this one Fixed too?

Aug 4 2017
This seems to be fixed in https://codereview.chromium.org/2863203002.

Jul 4
Crash analysis has not encountered any reports for this bug for the past 90 days. We have added the label 'crash-BugNoRepro'. Crash analysis will be automatically closing the bug in 10 days. If you do not want Crash analysis to automatically close the bug, please remove the label 'crash-BugNoRepro'. If you have any feedback on this feature, please contact pranavk@
Comment 1 by thestig@chromium.org, Mar 28 2017